Healthcare Data Breach Report in March 2020

The number of reported healthcare data breaches decreased in March 2020 by 7.69%. The number of breached records also decreased by 45.88%.

In March, there were 36 healthcare data breaches involving 500 or more records reported to the HHS’ Office for Civil Rights (OCR). That figure is about 16% below the 12-month average of monthly breaches. In March, 828,921 healthcare records were breached, which is 194% more than the monthly average number of breached healthcare records.

The medical device maker Tandem Diabetes Care reported a big phishing attack. The compromise of the email accounts of a number of employees resulted in the exposure of the protected health information (PHI) of 140,781 patients.

Brandywine Urology Consultants reported the third biggest data breach for March. A ransomware attack resulted in the potential compromise of 131,825 patients’ data. The Randleman Eye Center and Affordacare Urgent Care Clinics also experienced ransomware attacks.

Golden Valley Health Centers, Washington University School of Medicine, and the Otis R. Bowen Center for Human Services also reported data breaches due to phishing attacks. Stephan C Dean reported a breach due to email hacking not related to a phishing attack. OneDigital Health and Benefits also reported a breach involving laptop computer theft.

Causes of Healthcare Data Breaches

The number one cause of breaches was hacking/IT incidents, with 19 incidents accounting for 52.78% of the total breaches this month. These incidents breached 782,407 records, accounting for 94.38% of all breached records in March. The average and median breach sizes were 41,179 records and 10,700 records, respectively.

The 9 incidents of unauthorized access/disclosure accounted for 25% of the total breaches this month. The 15,071 breached records made up 1.81% of all breached records this month. The average and median breach sizes were 1,674 records and 910 records, respectively.

The 6 incidents of theft of paperwork/electronic devices accounted for 16.66% of the month’s breaches. There were 30,107 stolen patient records, which accounted for 3.63% of all of March’s breached records. The average and median breach sizes were 5,017 records and 1,595 records, respectively. Two incidents of loss were reported, affecting 1,336 records.

The location of 50% of breached PHI was email accounts, mostly because of phishing emails. Protecting email accounts and stopping phishing attacks is the biggest concern.

HIPAA Enforcement in March 2020

Neither the HHS’ Office for Civil Rights nor state attorneys general issued any enforcement actions in March 2020. However, there was some news on the HIPAA enforcement front.

Due to the SARS-CoV-2 Novel Coronavirus crisis, OCR announced that it would exercise enforcement discretion. No financial penalties will be imposed on covered entities and business associates for noncompliance with specific facets of the HIPAA Rules.

OCR announced three Notices of Enforcement Discretion in March associated with the good faith provision of telehealth services, good faith engagement in the functions of COVID-19 testing facilities, and the PHI uses and disclosures by business associates to public health professionals.